01-18-2013 03:23 AM
I have a site-to-site VPN connection to a remote client site that can be accessed from the servers in the following access list:
access-list MATCHJLS extended permit ip 78.129.xxx.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86
I would also like 10.1.1.0/24 and 10.255.255.0/24 to access the remote site, but the admin onsite says that NAT
should be used with the existing access and they won't add the additional rules due to a possible IP conflict.
I'm not sure how to do this. Any advice would be much appreciated.
01-19-2013 11:00 AM
Perfect. Now it's clear.
1. First test connectivity from the LAN:
nat (inside) 11 access-list policy-nat
global (outside) 11 78.129.151.86 (or any other free address)
2. If step 1 is working, test connectivity for VPN users:
nat (outside) 10 access-list policy-nat-two
global (outside) 10 78.129.151.85
---
Michal
01-19-2013 11:11 AM
Thanks Michal
We are getting there...
The first test works OK. I can now access servers on the remote site from systems on 10.1.1.0/24.
The VPN connection still cannot reach the remote site, however.
These are the commands I sent -
Result of the command: "nat (inside) 11 access-list policy-nat"
The command has been sent to the device
Result of the command: "global (outside) 11 78.129.151.105"
INFO: Global 78.129.151.105 will be Port Address Translated
Result of the command: "nat (outside) 10 access-list policy-nat-two"
The command has been sent to the device
Result of the command: "global (outside) 10 78.129.151.106"
INFO: Global 78.129.151.106 will be Port Address Translated
01-19-2013 11:23 AM
OK, try to add:
nat (inside) 10 access-list policy-nat-two
---
Michal
01-19-2013 11:28 AM
Result of the command: "nat (inside) 10 access-list policy-nat-two"
The command has been sent to the device
Still not able to ping servers. Any ideas?
01-19-2013 11:45 AM
The config seems correct; let's verify it. Please post the results of:
sh access-list policy-nat-two
sh run nat
sh run static
sh run global
---
Michal
01-19-2013 11:48 AM
Thanks Michal
Here you go:
Result of the command: "sh access-list policy-nat-two"
access-list policy-nat-two; 7 elements; name hash: 0x9bb12beb
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 0x4ccb1229
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.52 (hitcnt=0) 0x14b3f1b2
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.53 (hitcnt=0) 0xa64102f8
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.68 (hitcnt=0) 0x084d4d6b
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.69 (hitcnt=0) 0x11efd931
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.84 (hitcnt=0) 0xb81c7575
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.85 (hitcnt=0) 0x0d4c0fd0
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.86 (hitcnt=0) 0x3609c421
Result of the command: "sh run nat"
nat (Outside) 10 access-list policy-nat-two
nat (Inside) 0 access-list NONAT
nat (Inside) 11 access-list policy-nat
nat (Inside) 10 access-list policy-nat-two
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (Inside) 1 10.2.2.0 255.255.255.0
Result of the command: "sh run static"
The command has been sent to the device
Result of the command: "sh run global"
global (Outside) 1 interface
global (Outside) 11 78.129.151.105
global (Outside) 10 78.129.151.106
01-19-2013 11:54 AM
OK, it's good. Please test using packet-tracer:
packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det
---
Michal
01-19-2013 11:56 AM
Here you go-
Result of the command: "packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7fdb00, priority=12, domain=permit, deny=false
hits=8218854, user_data=0xa8a026c0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7b5738, priority=0, domain=inspect-ip-options, deny=true
hits=10460483, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7b53b0, priority=66, domain=inspect-icmp-error, deny=false
hits=575728, user_data=0xac7b5298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 10 access-list policy-nat-two
match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 10 (78.129.151.106)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.255.255.10/0 to 78.129.151.106/45655 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xad432ec0, priority=2, domain=nat, deny=false
hits=1, user_data=0xad31e720, cs_id=0x0, flags=0x0, protocol=0
src ip=10.255.255.0, mask=255.255.255.0, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 10 access-list policy-nat-two
match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 10 (78.129.151.106)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3f2390, priority=2, domain=host, deny=false
hits=2, user_data=0xad31e720, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.255.255.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad44a158, priority=70, domain=encrypt, deny=false
hits=6, user_data=0x0, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-19-2013 12:07 PM
Please add the highlighted line to the no-NAT ACL:
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list NONAT extended permit ip 10.255.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
01-19-2013 12:10 PM
That's weird; could you test a similar packet-tracer for the LAN:
packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det
?
I will compare the difference.
We should not disable NAT for that traffic (the NONAT rule mentioned above), because:
"... but the admin onsite says that NAT
should be used with the existing access and they won't add the additional rules due to a possible IP conflict"
That means that the remote side does not know (and does not want to know) how to respond to 10.255.255.0.
---
Michal
01-19-2013 12:21 PM
Here you go-
Result of the command: "packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7fdb00, priority=12, domain=permit, deny=false
hits=8219841, user_data=0xa8a026c0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7b5738, priority=0, domain=inspect-ip-options, deny=true
hits=10461761, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac7b53b0, priority=66, domain=inspect-icmp-error, deny=false
hits=575760, user_data=0xac7b5298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 11 access-list policy-nat
match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 11 (78.129.151.105)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.1.10/0 to 78.129.151.105/6130 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xac4566b0, priority=2, domain=nat, deny=false
hits=1, user_data=0xad6c32f0, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.1.0, mask=255.255.255.0, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 11 access-list policy-nat
match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 11 (78.129.151.105)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad4a64b0, priority=2, domain=host, deny=false
hits=5154, user_data=0xad6c32f0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad386010, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow out interface Outside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac7fd888, priority=12, domain=permit, deny=false
hits=8302462, user_data=0xa8a02740, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12471061, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
01-19-2013 12:41 PM
Great. We have a difference.
Both types of traffic (LAN and remote VPN) are first correctly translated, and then in phase 8 we try to encrypt.
For remote VPN we get a drop and "user_data=0x0", while in the working scenario
user_data is non-zero and the traffic is encrypted correctly.
#working for LAN traffic
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad386010, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x00000000
#non working for remote vpn traffic
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad44a158, priority=70, domain=encrypt, deny=false
hits=6, user_data=0x0, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x00000000
It might be a bug, but I cannot confirm it now.
Could you try to:
no crypto map VPNPEER 1 match address MATCHJLS
(wait 5 seconds)
crypto map VPNPEER 1 match address MATCHJLS
Then test.
Also (this one will break all tunnels for 5 seconds):
no crypto map VPNPEER interface Outside
(wait 5 seconds)
crypto map VPNPEER interface Outside
Then test.
---
Michal
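The comparison Michal does by eye above (find the first DROP phase, read off what NAT did, and diff the encrypt-phase rule between the working and the failing trace) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses ASA 8.2-style packet-tracer output, reports the drop phase and reason, checks the practitioner's usual first suspect (is the translated source address actually inside the crypto ACL's source network?), and lists the encrypt-rule fields that differ between two traces. The two embedded traces are constructed, abbreviated copies of the two outputs posted above; the field names (user_data, src ip, mask, Drop-reason) are taken from that output and are assumed to be stable across the 8.2 train.

```python
"""Compare two Cisco ASA packet-tracer traces and locate where the failing one dies (added example)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    info: list[str] = field(default_factory=list)  # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> tuple[list[Phase], dict[str, str]]:
    """Split packet-tracer output into its phases and the trailing 'Result:' summary block."""
    phases: list[Phase] = []
    summary: dict[str, str] = {}
    cur, section = None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"Phase:\s*(\d+)", line):
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":  # a bare "Result:" (no value) opens the final summary block
            section = "summary"
        elif section == "summary":
            k, _, v = line.partition(":")
            summary[k.strip()] = v.strip()
        elif cur and ":" in line and line.split(":", 1)[0] in ("Type", "Subtype", "Result"):
            key, val = line.split(":", 1)
            setattr(cur, key.lower(), val.strip())  # Type/Subtype/Result -> Phase attributes
        elif line == "Additional Information:":
            section = "info"
        elif cur and section == "info":
            cur.info.append(line)
    return phases, summary


def rule_fields(phase: Phase) -> dict[str, str]:
    """Flatten the 'id=..., user_data=..., src ip=..., dst ip=...' rule lines into one dict."""
    fields: dict[str, str] = {}
    for line in phase.info:
        prefix = "src_" if line.startswith("src ip=") else "dst_" if line.startswith("dst ip=") else ""
        for k, v in re.findall(r"(\w+)=([^,\s]+)", line):
            fields[prefix + k] = v
    return fields


def diagnose(text: str) -> dict:
    """Where the packet died, what NAT did, and whether the NAT address is inside the crypto ACL."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result == "DROP"), None)
    nat = next((p for p in phases if p.type == "NAT"), None)
    enc = next((p for p in phases if p.type == "VPN" and p.subtype == "encrypt"), None)
    m = re.search(r"\bto (\d+(?:\.\d+){3})/\d+", "\n".join(nat.info)) if nat else None
    xlate = m.group(1) if m else None
    f = rule_fields(enc) if enc else {}
    crypto = ipaddress.IPv4Network((f["src_ip"], f["src_mask"]), strict=False) if "src_ip" in f else None
    return {
        "action": summary.get("Action"),
        "drop_phase": f"{drop.type}/{drop.subtype}" if drop else None,
        "drop_reason": summary.get("Drop-reason"),
        "translated_src": xlate,
        "crypto_acl_src": str(crypto) if crypto else None,
        # the classic cause of a drop at the encrypt phase: NAT pool address outside the crypto ACL
        "xlate_in_crypto_acl": bool(xlate and crypto and ipaddress.IPv4Address(xlate) in crypto),
        "encrypt_user_data": f.get("user_data"),
    }


def encrypt_phase_diff(working: str, failing: str) -> dict[str, tuple]:
    """Fields of the VPN/encrypt rule that differ between a working and a failing trace."""
    def enc(text: str) -> dict[str, str]:
        p = next(p for p in parse_packet_tracer(text)[0] if p.type == "VPN" and p.subtype == "encrypt")
        return {**rule_fields(p), "result": p.result}
    a, b = enc(working), enc(failing)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed, abbreviated copies of the two traces posted in the thread (only the phases that matter).
WORKING = """\
Phase: 6
Type: NAT
Result: ALLOW
Additional Information:
Dynamic translate 10.1.1.10/0 to 78.129.151.105/6130 using netmask 255.255.255.255
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Additional Information:
 out id=0xad386010, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
        src ip=78.129.151.0, mask=255.255.255.128, port=0
        dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Result:
Action: allow
"""
FAILING = WORKING.replace("10.1.1.10/0 to 78.129.151.105/6130", "10.255.255.10/0 to 78.129.151.106/45655") \
    .replace("Result: ALLOW\nAdditional Information:\n out", "Result: DROP\nAdditional Information:\n out") \
    .replace("id=0xad386010", "id=0xad44a158").replace("hits=1, user_data=0x2eceae4", "hits=6, user_data=0x0") \
    .replace("Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule")

if __name__ == "__main__":
    for name, trace in (("LAN 10.1.1.10", WORKING), ("VPN 10.255.255.10", FAILING)):
        print(name, diagnose(trace))
    print("encrypt-phase differences:", encrypt_phase_diff(WORKING, FAILING))
```

Run against the two traces, both flows translate to an address inside 78.129.151.0/25, so the crypto ACL mismatch that usually explains a drop at the encrypt phase is ruled out; the only substantive difference left in the encrypt rule is user_data (0x2eceae4 versus 0x0) and the result, which is exactly the observation in the post above.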
01-19-2013 12:46 PM
Hi Michal
Not sure I did those instructions entirely correctly...
Here is the output. I waited 5 seconds where you specified. No change on access through the client VPN.
Result of the command: "no crypto map VPNPEER 1 match address MATCHJLS"
WARNING: The crypto map entry will be incomplete!
Result of the command: "crypto map VPNPEER 1 match address MATCHJLS"
The command has been sent to the device
Result of the command: "no crypto map VPNPEER interface Outside"
The command has been sent to the device
Result of the command: "crypto map VPNPEER interface Outside"
The command has been sent to the device
01-19-2013 12:55 PM
OK, so removing/adding the crypto ACL and crypto map did not help.
We have 2 options:
1. You are using a pretty old 8.2.2. You can try this image:
asa825-33-k8.bin
and test with that version.
2. Call cisco TAC (you can ask there for me to be assigned to this case).
To troubleshoot it I would need to display some internal tables. This is not a good place/way to troubleshoot that.
---
Michal
01-19-2013 01:00 PM
Thanks Michal
I tried to download the image but do not have a contract. The router is rented through our hosting provider. I'm not sure they will upgrade it for us but I can check on Monday.
Do you have any alternative suggestions?
Kind Regards
Graham